cbcvebase.
CVE-2018-17552
published 2018-10-03

CVE-2018-17552: SQL Injection in login.php in Naviwebs Navigate CMS 2.8 allows remote attackers to bypass authentication via the navigate-user cookie.

Priority: P2 (79) · Severity: critical · CVSS 3.0 base score: 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 84.06% (99.7th percentile)

Affected (1 range)

Vendor: naviwebs
Product: navigate_cms
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

Paths: /login.php, ../../../navigate_info.php, /navigate/
  • Detect SQL injection authentication bypass via the 'navigate-user' cookie containing SQL payload (e.g., OR TRUE -- ) in requests to login.php
  • Monitor POST requests to /navigate_upload.php with query parameters 'session_id', 'engine=picnik', and 'id' containing path traversal sequences (e.g., '../../../') — indicates exploitation of CVE-2018-17553 chained with the auth bypass
  • A successful auth bypass results in an HTTP 302 redirect response from login.php and sets a session cookie prefixed with 'NVSID_'; monitor for this pattern following requests with a malicious navigate-user cookie
  • Detect multipart/form-data file uploads to /navigate_upload.php where the uploaded file has a JPEG content-type but contains PHP code — indicative of webshell upload
  • Alert on GET requests to /navigate/navigate_info.php immediately following a suspicious upload to /navigate_upload.php — this is the payload trigger step in the exploit chain
  • The exploit shuffles GET parameters on the upload request to evade order-dependent signature detection; detection rules must not rely on fixed parameter ordering for /navigate_upload.php
  • The uploaded PHP payload filename is randomly generated (10–15 alphanumeric characters) per exploit run; filename-based detection is not reliable and content-based inspection is required
  • The exploit overwrites navigate_info.php with the payload and attempts to restore it to empty after session establishment; forensic artifacts on disk may be transient
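The detection points above translate directly into log-inspection logic. The following is an added example (not part of the CVE record or of any vendor detection rule) that runs the checks over constructed request/response records: SQL markers in the navigate-user cookie, the 302 + NVSID_ success pattern, an order-independent check on the /navigate_upload.php query string, content-based inspection of a JPEG-labelled part carrying PHP, and the navigate_info.php trigger that follows a suspicious upload. The record layout (method, path, query, cookie, content_type, body, status, set_cookie) and the sample traffic are assumptions made for the example.

```python
"""Detection logic for the CVE-2018-17552 exploit chain (added example).
Records are simplified HTTP request/response dicts; SAMPLE is constructed data."""
import re
from urllib.parse import parse_qs, unquote

# SQL-injection markers likely in a tampered navigate-user cookie:
# a quote, comment terminators, or an OR-true tautology (case-insensitive).
SQLI_RE = re.compile(r"'|--|/\*|\bOR\s+TRUE\b|\bOR\s+1\s*=\s*1\b", re.IGNORECASE)
# Path traversal sequences, raw or URL-encoded.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|%2e%2e", re.IGNORECASE)


def cookie_is_sqli(cookie_header: str) -> bool:
    """True if the navigate-user cookie (URL-decoded) carries SQL injection markers."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "navigate-user" and SQLI_RE.search(unquote(value)):
            return True
    return False


def upload_is_suspicious(path: str, query: str) -> bool:
    """Request to /navigate_upload.php with session_id, engine=picnik and a
    traversal sequence in id. parse_qs is order-independent, so shuffled
    parameters do not evade the check."""
    if not path.endswith("/navigate_upload.php"):
        return False
    q = parse_qs(query, keep_blank_values=True)  # parse_qs already URL-decodes values
    return ("session_id" in q and "picnik" in q.get("engine", [])
            and any(TRAVERSAL_RE.search(unquote(v)) for v in q.get("id", [])))


def jpeg_carries_php(content_type: str, body: bytes) -> bool:
    """Multipart upload whose file part claims image/jpeg but contains PHP code.
    Filename is ignored on purpose: the exploit randomises it."""
    return ("multipart/form-data" in content_type.lower()
            and b"image/jpeg" in body and b"<?php" in body)


def bypass_succeeded(req: dict, resp: dict) -> bool:
    """Malicious cookie on login.php answered with 302 and an NVSID_ session cookie."""
    return (req["path"].endswith("/login.php")
            and cookie_is_sqli(req.get("cookie", ""))
            and resp.get("status") == 302
            and any(c.startswith("NVSID_") for c in resp.get("set_cookie", [])))


def analyze(records: list) -> list:
    """Walk records in order; return (index, alert) pairs. The navigate_info.php
    trigger is flagged only when it directly follows a suspicious upload."""
    alerts = []
    prev_upload = False
    for i, rec in enumerate(records):
        req, resp = rec["request"], rec.get("response", {})
        if req["path"].endswith("/login.php") and cookie_is_sqli(req.get("cookie", "")):
            alerts.append((i, "sqli-cookie"))
            if bypass_succeeded(req, resp):
                alerts.append((i, "auth-bypass-success"))
        suspicious_upload = False
        if req["method"] == "POST" and upload_is_suspicious(req["path"], req.get("query", "")):
            alerts.append((i, "upload-traversal"))
            suspicious_upload = True
        if req["method"] == "POST" and jpeg_carries_php(req.get("content_type", ""), req.get("body", b"")):
            alerts.append((i, "jpeg-php-upload"))
            suspicious_upload = True
        if prev_upload and req["method"] == "GET" and req["path"].endswith("/navigate/navigate_info.php"):
            alerts.append((i, "payload-trigger"))
        prev_upload = suspicious_upload
    return alerts


# Constructed sample traffic (not captured data): a benign login, then the chain.
SAMPLE = [
    {"request": {"method": "POST", "path": "/navigate/login.php", "cookie": "navigate-user=alice"},
     "response": {"status": 200, "set_cookie": []}},
    {"request": {"method": "POST", "path": "/navigate/login.php",
                 "cookie": "navigate-user=%27%20OR%20TRUE%20--%20"},
     "response": {"status": 302, "set_cookie": ["NVSID_abc=1; Path=/"]}},
    {"request": {"method": "POST", "path": "/navigate/navigate_upload.php",
                 "query": "id=..%2F..%2F..%2Fnavigate_info.php&engine=picnik&session_id=1",
                 "content_type": "multipart/form-data; boundary=x",
                 "body": b'--x\r\nContent-Disposition: form-data; name="f"; filename="a.jpg"\r\n'
                         b"Content-Type: image/jpeg\r\n\r\n<?php echo 1; ?>\r\n--x--"},
     "response": {"status": 200}},
    {"request": {"method": "GET", "path": "/navigate/navigate_info.php"}, "response": {"status": 200}},
]

if __name__ == "__main__":
    for index, alert in analyze(SAMPLE):
        print(f"record {index}: {alert}")
```

The upload check deliberately keys on parameter names and values rather than their order, and the PHP-in-JPEG check ignores the filename, matching the two evasion notes above; the trigger alert is tied to the preceding record so that ordinary requests for navigate_info.php do not fire on their own.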

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, vector AV:N/AC:L/Au:N/C:P/I:P/A:P